Official Indian word on Stuxnet’s effect

Minister of State for Communications & Information Technology has provided the official version of the impact of Stuxnet on critical infrastructures in India. In a reply to a written question in Rajya Sabha on 11th March, he provided the information that:

Some computer systems in India were also infected by the Stuxnet, but none of the infections have so far been reported in sensitive Industrial systems.

He then goes on to explain the steps being taken to tackle the problem of virus and protection of sensitive installations in the country, which includes the use of alerts and advisories being produced by CERT-In and workshops being conducted by it. With such a mandate one would assume CERT-In is on the top of things at least when it comes to issuing advisories. Not so! They issued the advisory on Stuxnet on July 23rd 2010, long after Virusblokada reported W32.Stuxnet (June 17), Microsoft issued the advisory 2286198 (July 16) and after Siemens report that it is investigating reports that the malware is infecting the SCADA systems (July 19). With such a lag in issuing the advisory, it would be hard to give CERT-In any credit for the reported absence of Stuxnet in “sensitive Industrial systems”.

As usual these official press releases opens up more questions. For one, where exactly were the computer systems that were infected by Stuxnet found? This is second to the more intriguing question – what is with the title of the press release – “Protection of Sensitive Installations from but ‘Free Virus’”?